Get well soon

By William Jackson

Mar 05, 2007

Traditional, signature-based antivirus is a mature technology. The engines do a good job of scanning for malicious code, and vendors compete fiercely to get new signatures out to their customers. But no matter how well the system works, there is an inevitable window of vulnerability between the time new malware is discovered and signatures are distributed.

Vendors at the RSA security conference last month offered various alternatives for closing this window and defeating unwanted code on desktops and other endpoints. The new tools include white lists, blacklists, heuristics and sandboxes. Some of the tools are designed to be all things to all people, providing security beyond traditional antivirus protection.

The most recent release of the multifaceted Blink tool from eEye Digital Security Inc. of Aliso Viejo, Calif., includes antivirus and anti-spyware. Blink also includes host intrusion prevention, buffer overflow prevention, system and application firewalls, a phishing filter and a control engine to enforce security policies. eEye's new antivirus engine uses heuristics and rule violations as well as signatures to spot malware. Blink sandboxes incoming code and examines its behavior, blocking inappropriate activity. The system is effective enough to stop most malicious activity without a signature scan, so it offers protection before a signature is available, said Ross Brown, CEO of eEye Digital.

The iSolation Server from Avinti Inc. of Lindon, Utah, also uses a sandbox to detect malicious code. It is a last line of defense, analyzing suspect e-mail that has passed through traditional antivirus and anti-spam tools. As its name implies, it isolates messages on a simulated desktop environment, and 'we observe what that file does,' said Avinti CEO William Kilmer. 'We're catching things that can't be caught by other systems.'

The newest release of the Parity tool from Bit9 Inc. of Cambridge, Mass., creates a white list of acceptable software and peripheral devices that can run on a platform, blocking the execution of any new code that does not come from a trusted source, said Bit9 chief marketing officer Tom Murphy. This lets Parity block malicious code before signatures are available.

Parity's selling point is that, in addition to a white list of approved code and a blacklist of banned code, it gray-lists any unknown code until a decision is made on how to deal with it. Policies about acceptable software and device use can be built for workgroups. When the agent is first loaded, it conducts a discovery of software already on the device and creates a hash of each piece of software so it can be identified and tracked. Whenever a new file is written to the disk, Parity examines it to see if it is an executable, and if it is, checks it against the user's policy of allowable software, executing white-listed code and blocking blacklisted code.
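To make the white/black/gray-list mechanism described above concrete, here is an added example of a hash-based execution policy check. It is illustrative code written for this article, not Bit9's Parity or any product code. It assumes SHA-256 as the hash (the article does not name the algorithm), detects executables by leading magic bytes, and builds its baseline and sample files from constructed in-memory data rather than a real disk.

```python
"""Added example: a minimal allow-list / deny-list / gray-list check of the
kind the paragraph above describes. Not from the article or from Bit9.
Assumptions: SHA-256 hashes, magic-byte executable detection, and
constructed sample files standing in for files written to disk."""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # hash is on the white list
    BLOCK = "block"    # hash is on the blacklist
    GRAY = "gray"      # unknown executable, held until an admin decides
    IGNORE = "ignore"  # not executable, so the policy does not apply


# Leading bytes of common executable formats (assumption: the product's
# real executable detector is not described in the article).
_EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def is_executable(data: bytes) -> bool:
    """Decide whether a newly written file is code the policy must judge."""
    return any(data.startswith(magic) for magic in _EXEC_MAGIC)


def sha256_hex(data: bytes) -> str:
    """Identity used to track each piece of software (assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


def discover(files: dict) -> set:
    """Initial discovery: hash every executable already present on the
    device so it can be identified and tracked from then on."""
    return {sha256_hex(d) for d in files.values() if is_executable(d)}


class Policy:
    """Per-workgroup policy of allowed and banned software, plus the gray
    list of unknown code awaiting a decision."""

    def __init__(self, allow=(), deny=()):
        self.allow = set(allow)
        self.deny = set(deny)
        self.gray = set()

    def evaluate(self, data: bytes) -> Verdict:
        """Called for each file written to disk: only executables are
        judged, a blacklist entry wins over an allow entry, and anything
        unknown is parked on the gray list rather than run."""
        if not is_executable(data):
            return Verdict.IGNORE
        h = sha256_hex(data)
        if h in self.deny:
            return Verdict.BLOCK
        if h in self.allow:
            return Verdict.ALLOW
        self.gray.add(h)
        return Verdict.GRAY

    def approve(self, h: str) -> None:
        """Administrator resolves a gray-listed hash as acceptable."""
        self.gray.discard(h)
        self.allow.add(h)

    def ban(self, h: str) -> None:
        """Administrator resolves a gray-listed hash as banned."""
        self.gray.discard(h)
        self.deny.add(h)


# Constructed sample "files" (not real binaries): a PE-like stub, an
# ELF-like stub, a shell script the policy has never seen, and a text file.
KNOWN_GOOD = b"MZ" + b"\x90" * 14 + b"constructed-good-tool"
KNOWN_BAD = b"\x7fELF" + b"\x00" * 12 + b"constructed-banned-tool"
UNKNOWN = b"#!/bin/sh\necho constructed unknown script\n"
PLAIN_TEXT = b"just a document, not code\n"


def build_policy() -> Policy:
    """Baseline from discovery of the existing software, plus one ban."""
    baseline = discover({"/opt/good": KNOWN_GOOD, "/home/notes.txt": PLAIN_TEXT})
    return Policy(allow=baseline, deny={sha256_hex(KNOWN_BAD)})


def run_demo() -> dict:
    """Evaluate each sample write and return the verdicts by name."""
    policy = build_policy()
    verdicts = {
        "good": policy.evaluate(KNOWN_GOOD),
        "bad": policy.evaluate(KNOWN_BAD),
        "unknown": policy.evaluate(UNKNOWN),
        "text": policy.evaluate(PLAIN_TEXT),
    }
    # The unknown script now sits on the gray list; once an admin approves
    # it, the same bytes are allowed on the next write.
    policy.approve(sha256_hex(UNKNOWN))
    verdicts["unknown_after_approval"] = policy.evaluate(UNKNOWN)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict.value}")
```

Two design points are worth noting. The deny list is checked before the allow list, so a banned hash can never be re-enabled by accident through a broad allow entry. And because the check keys on the bytes written to disk, it covers exactly what the article says such tools cover: code that is written as a file, not code that runs only in memory.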

'The only way an attack could possibly happen is in a memory-based attack, where no file is written,' Murphy said. 'That is rare, but it